fortigate-ipsec-40-mr3
IPsec VPN in the web-based manager

Local Gateway IP
If you selected Enable IPsec Interface Mode, specify an IP address for the local end of the VPN tunnel. Select one of the following:
Main Interface IP — The FortiGate unit obtains the IP address of the interface from the network interface settings.
Specify — Enter a secondary address of the interface selected in the phase 1 Local Interface field. For more information, see “Local Interface” on page 27.
You cannot configure Interface mode in a transparent mode VDOM.

P1 Proposal
Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.
You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
Select one of the following symmetric-key encryption algorithms:
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Select either of the following authentication message digests to check the authenticity of messages during phase 1 negotiations:
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.

DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.

Keylife
Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
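
The limits described for P1 Proposal, DH Group and Keylife can be checked before a tunnel is brought up. The following is an added example, not taken from the handbook or from FortiOS: the dictionary layout, the "ENC-AUTH" proposal strings and the function names are assumptions made for illustration, and the peer settings are constructed.

```python
# Added example: checks two phase 1 configurations against the limits stated
# above. The dict layout and "ENC-AUTH" proposal strings are assumptions made
# for this sketch, not FortiOS syntax.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1", "SHA256"}
DH_GROUPS = {1, 2, 5, 14}
KEYLIFE_RANGE = (120, 172800)  # seconds


def validate(cfg):
    """Return a list of problems with one side's phase 1 settings."""
    problems = []
    proposals = cfg.get("proposals", [])
    if not 1 <= len(proposals) <= 3:
        problems.append(f"{len(proposals)} proposals; need 1 to 3")
    for p in proposals:
        enc, _, auth = p.partition("-")
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            problems.append(f"unknown proposal {p!r}")
    groups = set(cfg.get("dh_groups", []))
    if not groups:
        problems.append("no DH group selected")
    if groups - DH_GROUPS:
        problems.append(f"unsupported DH groups {sorted(groups - DH_GROUPS)}")
    keylife = cfg.get("keylife")
    if not isinstance(keylife, int) or not KEYLIFE_RANGE[0] <= keylife <= KEYLIFE_RANGE[1]:
        problems.append(f"keylife {keylife!r} outside 120-172800 s")
    return problems


def negotiable(local, remote):
    """Return (shared proposals, shared DH groups, problems) for two peers."""
    shared_p = [p for p in local["proposals"] if p in remote["proposals"]]
    shared_g = sorted(set(local["dh_groups"]) & set(remote["dh_groups"]))
    problems = []
    if not shared_p:
        problems.append("no common P1 proposal")
    if not shared_g:
        problems.append("no common DH group")
    return shared_p, shared_g, problems


# Constructed sample settings for two peers, plus one invalid configuration.
LOCAL = {"proposals": ["AES256-SHA256", "AES128-SHA1"], "dh_groups": [5, 14], "keylife": 28800}
REMOTE = {"proposals": ["3DES-SHA1", "AES128-SHA1"], "dh_groups": [2, 5], "keylife": 28800}
BAD = {"proposals": ["AES256-SHA512"], "dh_groups": [19], "keylife": 60}

if __name__ == "__main__":
    print(validate(LOCAL), negotiable(LOCAL, REMOTE), validate(BAD), sep="\n")
```
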
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 29
http://docs.fortinet.com/